Asprotect 2.0 Shell Example



[Target]: Win98's Notepad

[Tools]: OllyDbg 1.1 (DIY version), LordPE, ImportREC 1.6F

[Task]: A simple manual unpacking of an ASProtect 2.0 shell

[Operating Platform]: Windows XP SP2

[Author]: loveboom [DFCG] [FCG] [US]

[Brief Description]: I have not written an article for some time; this one was written during the Olympics.

[Detailed Procedure]:

Set the debugger to ignore all exceptions and hide the debugger flag.

After loading we stop here:

00401000 > 68 01D040> PUSH 0040D001 ; EP, the shell's entry point

00401005 E8 010000> CALL 0040100B

After loading, go directly to LoadLibraryA (Ctrl+G in OllyDbg), break there and run until execution reaches the LoadLibraryA API:

7C801D77 > 8BFF MOV EDI, EDI ; LoadLibraryA

7C801D79 55 PUSH EBP

Once there, press Alt+F9 (execute until return) to return into the shell:

009884B7 8985 4D29> MOV DWORD PTR SS:[EBP+44294D], EAX ; we return to here

009884BD C785 5129> MOV DWORD PTR SS:[EBP+442951], 0

......

009885C1 61 POPAD

009885C2 75 08 JNZ SHORT 009885CC ; look here: anyone who has traced ASPack will recognize this

009885C4 B8 010000> MOV EAX, 1

009885C9 C2 0C00 RETN 0C

009885CC 68 000000> PUSH 0 ; if you are unpacking by hand, the return address is what gets pushed here

009885D1 C3 RETN

Return to 009884B7, right-click and search for all referenced text strings, then look for the following entries in the strings window:

Double-click the "10" entry there to go to the CPU window:

0096CD66 /75 0A JNZ SHORT 0096CD72

0096CD68 |68 C8D096> PUSH 96D0C8 ; double-click here; from this point we find where the code starts

0096CD6D |E8 BE6DFF> CALL 00963B30

Scroll up and find this:

0096CC70 /EB 01 JMP SHORT 0096CC73

0096CC72 |90 NOP

0096CC73 \8B43 08 MOV EAX, DWORD PTR DS:[EBX+8] ; IAT processing starts here

0096CC76 8B30 MOV ESI, DWORD PTR DS:[EAX]

0096CC78 8343 08 0> ADD DWORD PTR DS:[EBX+8], 4

0096CC7C 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CC7F 8A00 MOV AL, BYTE PTR DS:[EAX]

0096CC81 884424 07 MOV BYTE PTR SS:[ESP+7], AL

0096CC85 FF43 08 INC DWORD PTR DS:[EBX+8]

0096CC88 85F6 TEST ESI, ESI

0096CC8A 75 1A JNZ SHORT 0096CCA6 ; import-table processing; jumps unless ESI is zero

0096CC8C EB 01 JMP SHORT 0096CC8F

......

0096CCC9 FF43 08 INC DWORD PTR DS:[EBX+8]

0096CCCC 84C0 TEST AL, AL ; the value of AL selects how the entry is handled

0096CCCE 75 20 JNZ SHORT 0096CCF0

......

0096CD59 8B4424 14 MOV EAX, DWORD PTR SS:[ESP+14]

0096CD5D E8 DEECFF> CALL 0096BA40 ; GetProcAddress

0096CD62 8BE8 MOV EBP, EAX

0096CD64 85ED TEST EBP, EBP

0096CD66 75 0A JNZ SHORT 0096CD72 ; checks whether the API lookup succeeded

0096CD68 68 C8D096> PUSH 96D0C8 ; the string we double-clicked; this is where we find the code

0096CD6D E8 BE6DFF> CALL 00963B30

0096CD72 837C24 20> CMP DWORD PTR SS:[ESP+20], 0

......

0096CDF7 E8 8469FF> CALL 00963780 ; IAT handling when AL is 2, follow this call

0096CDFC ^E9 72FEFF> JMP 0096CC73 ; handling done, loop back

......

Following the call:

00963756 8BC0 MOV EAX, EAX

00963758 55 PUSH EBP

00963759 8BEC MOV EBP, ESP

0096375B 53 PUSH EBX

0096375C 8BD8 MOV EBX, EAX

0096375E 8BC2 MOV EAX, EDX

00963760 8BD1 MOV EDX, ECX

00963762 E8 79FFFF> CALL 009636E0

00963767 C603 E9 MOV BYTE PTR DS:[EBX], 0E9 ; set a breakpoint here too, because [EBX] here is the program's OEP

0096376A 8D53 01 LEA EDX, DWORD PTR DS:[EBX+1] ; the jump written at the OEP goes to the start of the shell's code

0096376D 8902 MOV DWORD PTR DS:[EDX], EAX

0096376F 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]

00963772 8910 MOV DWORD PTR DS:[EAX], EDX

00963774 B8 050000> MOV EAX, 5

00963779 5B POP EBX

0096377A 5D POP EBP

0096377B C2 0400 RETN 4

0096377E 8BC0 MOV EAX, EAX

00963780 53 PUSH EBX

00963781 8BD8 MOV EBX, EAX

00963783 8BC3 MOV EAX, EBX

00963785 E8 56FFFF> CALL 009636E0

0096378A C603 E8 MOV BYTE PTR DS:[EBX], 0E8 ; here the IAT call is rewritten as CALL XXXXXXXX, so this is where we must patch in

0096378D 43 INC EBX

0096378E 8903 MOV DWORD PTR DS:[EBX], EAX

00963790 5B POP EBX

00963791 C3 RETN

Now let's fix it:

First allocate two memory blocks (you could also write the code straight into the code section). I allocated 00B90000 and 00BA0000: the block at 00B90000 holds the patch code, and the block at 00BA0000 holds temporary data.

00BA0000 stores the DLL base address, and 00BA0010 stores the address of the next IAT slot to write.

With that in place, we start writing the code:

00963781 8BD8 MOV EBX, EAX

00963783 8BC3 MOV EAX, EBX

00963785 E8 56FFFF> CALL 009636E0

0096378A E8 71C822> CALL 00B90000 ; call our patch code

0096378F 90 NOP

00963790 5B POP EBX

00963791 C3 RETN

00B90000 holds our repair code:

00B90000 51 PUSH ECX ; save registers

00B90001 52 PUSH EDX

00B90002 8B5424 28 MOV EDX, DWORD PTR SS:[ESP+28] ; fetch the DLL base address into EDX

00B90006 3B15 0000> CMP EDX, DWORD PTR DS:[BA0000] ; same base address as last time?

00B9000C 74 0D JE SHORT 00B9001B

00B9000E 8915 0000> MOV DWORD PTR DS:[BA0000], EDX ; if different, store the new base address

00B90014 8305 1000> ADD DWORD PTR DS:[BA0010], 4 ; and advance the IAT address by 4

00B9001B 8B0D 1000> MOV ECX, DWORD PTR DS:[BA0010] ; the first time, write the IAT address here by hand; I chose 40C000

00B90021 8929 MOV DWORD PTR DS:[ECX], EBP ; write the resolved function address into the slot

00B90023 66:C703 F> MOV WORD PTR DS:[EBX], 15FF ; depends on the program: for Delphi this would be FF25, for C it is FF15, as here

00B90028 890E MOV DWORD PTR DS:[ESI], ECX ; write the IAT slot address into the program's call

00B9002A 8305 1000> ADD DWORD PTR DS:[BA0010], 4 ; advance the IAT address by 4

00B90031 5A POP EDX ; restore registers

00B90032 59 POP ECX

00B90033 C3 RETN ; return to the shell and continue
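The compare-and-bump logic of the stub at 00B90000 (the stubs at 00B90040 and 00B9007A repeat it) as an added Python model; this is not the author's code. It assumes the initial [BA0000]/[BA0010] state is chosen so the first import lands at 40C000, and the non-kernel32 base and the second export address are constructed values.

```python
import struct

IAT_BASE = 0x40C000     # the hand-chosen IAT start from the write-up
CALL_IND = b"\xFF\x15"  # CALL DWORD PTR [imm32]: the C/MSVC form the stub writes
JMP_IND = b"\xFF\x25"   # JMP DWORD PTR [imm32]: the Delphi form the write-up mentions


class IatRebuilder:
    """Replays the compare-and-bump logic at 00B90000: one slot per resolved import,
    plus one skipped (zero) slot whenever the owning DLL changes."""
    def __init__(self, iat_base=IAT_BASE):
        self.iat_base = iat_base
        self.last_base = None      # models the saved DLL base at [BA0000]
        self.next_slot = iat_base  # models the slot pointer at [BA0010] (assumed
        self.slots = {}            # to start so the first import lands at iat_base)

    def resolve(self, dll_base, func_addr):
        """Return the IAT slot that receives func_addr (EBP after GetProcAddress)."""
        if self.last_base is not None and dll_base != self.last_base:
            self.next_slot += 4        # ADD [BA0010],4: zero dword between DLLs
        self.last_base = dll_base      # MOV [BA0000],EDX
        slot = self.next_slot          # MOV ECX,[BA0010]
        self.slots[slot] = func_addr   # MOV [ECX],EBP
        self.next_slot += 4            # ADD [BA0010],4
        return slot

    def iat_bytes(self):
        """The rebuilt table as it would sit in memory; the gaps stay zero."""
        out = bytearray(self.next_slot - self.iat_base)
        for slot, addr in self.slots.items():
            struct.pack_into("<I", out, slot - self.iat_base, addr)
        return bytes(out)


def patch_call_site(code, offset, slot, delphi=False):
    """Rewrite the shell's E8 rel32 + junk byte at offset into FF15/FF25 [slot],
    which is what MOV WORD PTR [EBX],15FF followed by MOV [ESI],ECX does."""
    opcode = JMP_IND if delphi else CALL_IND
    code[offset:offset + 6] = opcode + struct.pack("<I", slot)
    return code


def demo():
    """Constructed input: two kernel32 imports, then one from a second DLL."""
    rb = IatRebuilder()
    s1 = rb.resolve(0x7C800000, 0x7C801D77)    # kernel32 base and LoadLibraryA from the page
    s2 = rb.resolve(0x7C800000, 0x7C80AAAA)    # constructed second kernel32 export
    s3 = rb.resolve(0x77D10000, 0x77D1BBBB)    # constructed import from another DLL
    code = bytearray(b"\xE8\x11\x22\x33\x44\x90")  # constructed shell CALL + junk byte
    return (s1, s2, s3), rb.iat_bytes(), bytes(patch_call_site(code, 0, s1))
```

The zero dword the model leaves between DLLs is what later lets ImportREC split the rebuilt table per module.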

Processing for AL = 1:

0096CE07 ^E9 67FEFF> JMP 0096CC73

0096CE0C 3C 01 CMP AL, 1 ; when AL = 1

0096CE0E 0F85 B200> JNZ 0096CEC6

......

0096CE7E A1 B8A697> MOV EAX, DWORD PTR DS:[97A6B8]

0096CE83 8B00 MOV EAX, DWORD PTR DS:[EAX]

0096CE85 FFD0 CALL EAX ; GetProcAddress

0096CE87 8BE8 MOV EBP, EAX

0096CE89 85ED TEST EBP, EBP

0096CE8B 75 0A JNZ SHORT 0096CE97 ; jump if it succeeded

0096CE8D 68 D8D096> PUSH 96D0D8 ; ASCII "11"

0096CE92 E8 996CFF> CALL 00963B30

0096CE97 8B0424 MOV EAX, DWORD PTR SS:[ESP]

0096CE9A 50 PUSH EAX

0096CE9B 68 08BC96> PUSH 96BC08

0096CEA0 8D4C24 20 LEA ECX, DWORD PTR SS:[ESP+20]

0096CEA4 8BD5 MOV EDX, EBP

0096CEA6 8BC3 MOV EAX, EBX

0096CEA8 E8 BFF4FF> CALL 0096C36C

0096CEAD 8B5424 0C MOV EDX, DWORD PTR SS:[ESP+C] ; here the shell writes the IAT entry; we have to fix this ourselves

0096CEB1 8902 MOV DWORD PTR DS:[EDX], EAX ; this is where our own code goes

0096CEB3 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+C]

0096CEB7 8906 MOV DWORD PTR DS:[ESI], EAX

0096CEB9 0FB74424> MOVZX EAX, WORD PTR SS:[ESP+4]

0096CEBE 0143 08 ADD DWORD PTR DS:[EBX+8], EAX

0096CEC1 ^E9 ADFDFF> JMP 0096CC73 ; jump back

Repair code for AL = 1:

0096CEA8 E8 BFF4FF> CALL 0096C36C

0096CEAD E8 8E3122> CALL 00B90040

0096CEB2 90 NOP

0096CEB3 90 NOP

0096CEB4 90 NOP

0096CEB5 90 NOP

0096CEB6 90 NOP

0096CEB7 90 NOP

0096CEB8 90 NOP

0096CEB9 0FB74424> MOVZX EAX, WORD PTR SS:[ESP+4]

0096CEBE 0143 08 ADD DWORD PTR DS:[EBX+8], EAX

0096CEC1 ^E9 ADFDFF> JMP 0096CC73

The repair code at 00B90040:

00B90040 51 PUSH ECX ; save registers

00B90041 52 PUSH EDX

00B90042 8B5424 20 MOV EDX, DWORD PTR SS:[ESP+20] ; fetch the base address of the DLL being processed

00B90046 3B15 0000> CMP EDX, DWORD PTR DS:[BA0000] ; same base address as last time?

00B9004C 74 0D JE SHORT 00B9005B

00B9004E 8915 0000> MOV DWORD PTR DS:[BA0000], EDX

00B90054 8305 1000> ADD DWORD PTR DS:[BA0010], 4

00B9005B 8B0D 1000> MOV ECX, DWORD PTR DS:[BA0010] ; 1.0040C004

00B90061 8929 MOV DWORD PTR DS:[ECX], EBP ; write the function address into the IAT slot we chose, starting at 40C000

00B90063 890E MOV DWORD PTR DS:[ESI], ECX ; write that slot address back to the program

00B90065 8305 1000> ADD DWORD PTR DS:[BA0010], 4

00B9006C 5A POP EDX

00B9006D 59 POP ECX ; restore registers

00B9006E C3 RETN ; return and continue

Now the processing for AL = 4:

0096CEC6 3C 04 CMP AL, 4 ; when AL is 4 there are two branches

0096CEC8 0F85 F400> JNZ 0096CFC2

0096CECE EB 01 JMP SHORT 0096CED1

0096CED0 90 NOP

0096CED1 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CED4 8A00 MOV AL, BYTE PTR DS:[EAX]

0096CED6 FF43 08 INC DWORD PTR DS:[EBX+8]

0096CED9 84C0 TEST AL, AL

0096CEDB 75 5B JNZ SHORT 0096CF38 ; if this jumps, the handling is the same as for AL = 1

0096CEDD 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8] ; this is the first branch for AL = 4

0096CEE0 8B30 MOV ESI, DWORD PTR DS:[EAX]

0096CEE2 8343 08 0> ADD DWORD PTR DS:[EBX+8], 4

0096CEE6 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CEE9 8B28 MOV EBP, DWORD PTR DS:[EAX]

0096CEEB 8343 08 0> ADD DWORD PTR DS:[EBX+8], 4

0096CEEF 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CEF2 8B00 MOV EAX, DWORD PTR DS:[EAX]

0096CEF4 894424 2C MOV DWORD PTR SS:[ESP+2C], EAX

0096CEF8 8343 08 0> ADD DWORD PTR DS:[EBX+8], 4

0096CEFC 837B 30 0> CMP DWORD PTR DS:[EBX+30], 0

0096CF00 75 0A JNZ SHORT 0096CF0C

0096CF02 68 E8D096> PUSH 96D0E8 ; ASCII "81"

0096CF07 E8 246CFF> CALL 00963B30

0096CF0C 8D5424 30 LEA EDX, DWORD PTR SS:[ESP+30]

0096CF10 8BC3 MOV EAX, EBX

0096CF12 E8 8DF8FF> CALL 0096C7A4 ; step into this CALL, because it is where the IAT slot address is stored

Stepping in:

0096C7A4 53 PUSH EBX

0096C7A5 56 PUSH ESI

0096C7A6 8BF2 MOV ESI, EDX

0096C7A8 8BD8 MOV EBX, EAX

0096C7AA B8 040000> MOV EAX, 4

0096C7AF E8 985DFE> CALL 0095254C

0096C7B4 8906 MOV DWORD PTR DS:[ESI], EAX ; store the computed address into [ESI]

0096C7B6 8B43 40 MOV EAX, DWORD PTR DS:[EBX+40]

0096C7B9 8946 04 MOV DWORD PTR DS:[ESI+4], EAX

0096C7BC 5E POP ESI

0096C7BD 5B POP EBX

0096C7BE C3 RETN

Let's take the first branch first; for the second branch we can reuse the AL = 1 code entirely. Repair code for the first branch of AL = 4:

0096C7A4 53 PUSH EBX

0096C7A5 56 PUSH ESI

0096C7A6 8BF2 MOV ESI, EDX

0096C7A8 8BD8 MOV EBX, EAX

0096C7AA B8 040000> MOV EAX, 4

0096C7AF E8 985DFE> CALL 0095254C

0096C7B4 E8 C13822> CALL 00B9007A

0096C7B9 8946 04 MOV DWORD PTR DS:[ESI+4], EAX

0096C7BC 5E POP ESI

0096C7BD 5B POP EBX

0096C7BE C3 RETN

The repair code at 00B9007A:

00B9007A 51 PUSH ECX ; save registers

00B9007B 52 PUSH EDX

00B9007C 8B5424 2C MOV EDX, DWORD PTR SS:[ESP+2C] ; fetch the base address of the DLL being processed

00B90080 3B15 0000> CMP EDX, DWORD PTR DS:[BA0000] ; kernel32.7C800000

00B90086 74 0D JE SHORT 00B90095

00B90088 8915 0000> MOV DWORD PTR DS:[BA0000], EDX

00B9008E 8305 1000> ADD DWORD PTR DS:[BA0010], 4

00B90095 8B0D 1000> MOV ECX, DWORD PTR DS:[BA0010] ; 1.0040C020

00B9009B 890E MOV DWORD PTR DS:[ESI], ECX ; store our chosen IAT slot address into [ESI]

00B9009D 8305 1000> ADD DWORD PTR DS:[BA0010], 4

00B900A4 5A POP EDX

00B900A5 59 POP ECX ; restore registers

00B900A6 8B43 40 MOV EAX, DWORD PTR DS:[EBX+40] ; re-execute the instruction our CALL overwrote

00B900A9 C3 RETN ; return and continue

......

0096CF17 8B4424 2C MOV EAX, DWORD PTR SS:[ESP+2C]

0096CF1B 50 PUSH EAX

0096CF1C 8D4424 34 LEA EAX, DWORD PTR SS:[ESP+34]

0096CF20 50 PUSH EAX

0096CF21 55 PUSH EBP

0096CF22 A1 70A597> MOV EAX, DWORD PTR DS:[97A570]

0096CF27 8B00 MOV EAX, DWORD PTR DS:[EAX]

0096CF29 50 PUSH EAX

0096CF2A 56 PUSH ESI

0096CF2B 8B4424 28 MOV EAX, DWORD PTR SS:[ESP+28]

0096CF2F 50 PUSH EAX

0096CF30 FF53 30 CALL DWORD PTR DS:[EBX+30] ; computes the function address and writes it to the slot

0096CF33 ^E9 3BFDFF> JMP 0096CC73

0096CF38 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CF3B 8B00 MOV EAX, DWORD PTR DS:[EAX]

0096CF3D 890424 MOV DWORD PTR SS:[ESP], EAX

0096CF40 8343 08 0> ADD DWORD PTR DS:[EBX+8], 4

0096CF44 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CF47 66:8B00 MOV AX, WORD PTR DS:[EAX]

0096CF4A 66:894424> MOV WORD PTR SS:[ESP+4], AX

0096CF4F 8343 08 0> ADD DWORD PTR DS:[EBX+8], 2

0096CF53 8B0C24 MOV ECX, DWORD PTR SS:[ESP]

0096CF56 66:8B5424> MOV DX, WORD PTR SS:[ESP+4]

0096CF5B 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CF5E E8 91ABFF> CALL 00967AF4

0096CF63 8B4424 10 MOV EAX, DWORD PTR SS:[ESP+10]

0096CF67 E8 E055FE> CALL 0095254C

0096CF6C 894424 0C MOV DWORD PTR SS:[ESP+C], EAX

0096CF70 8B43 08 MOV EAX, DWORD PTR DS:[EBX+8]

0096CF73 50 PUSH EAX

0096CF74 8B4424 18 MOV EAX, DWORD PTR SS:[ESP+18]

0096CF78 50 PUSH EAX

0096CF79 A1 B8A697> MOV EAX, DWORD PTR DS:[97A6B8]

0096CF7E 8B00 MOV EAX, DWORD PTR DS:[EAX]

0096CF80 FFD0 CALL EAX ; GetProcAddress

0096CF82 8BE8 MOV EBP, EAX

0096CF84 85ED TEST EBP, EBP

0096CF86 75 0C JNZ SHORT 0096CF94 ; jump if it succeeded

0096CF88 68 F8D096> PUSH 96D0F8 ; ASCII "250"

0096CF8D E8 9E6BFF> CALL 00963B30

0096CF92 EB 15 JMP SHORT 0096CFA9

0096CF94 A1 ECA597> MOV EAX, DWORD PTR DS:[97A5EC]

0096CF99 3B28 CMP EBP, DWORD PTR DS:[EAX]

0096CF9B 75 0C JNZ SHORT 0096CFA9

0096CF9D 837B 34 0> CMP DWORD PTR DS:[EBX+34], 0

0096CFA1 74 06 JE SHORT 0096CFA9

0096CFA3 8B6B 34 MOV EBP, DWORD PTR DS:[EBX+34]

0096CFA6 036B 40 ADD EBP, DWORD PTR DS:[EBX+40]

0096CFA9 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+C] ; this is the second branch, identical to the AL = 1 case

0096CFAD 8928 MOV DWORD PTR DS:[EAX], EBP

0096CFAF 8B4424 0C MOV EAX, DWORD PTR SS:[ESP+C]

0096CFB3 8906 MOV DWORD PTR DS:[ESI], EAX

0096CFB5 0FB74424> MOVZX EAX, WORD PTR SS:[ESP+4]

0096CFBA 0143 08 ADD DWORD PTR DS:[EBX+8], EAX

0096CFBD ^E9 B1FCFF> JMP 0096CC73

......

Handling the second branch is very simple: we change only a few lines, like this:

0096CFA9 E8 923022> CALL 00B90040 ; same as for AL = 1

0096CFAE 90 NOP

0096CFAF 90 NOP

0096CFB0 90 NOP

0096CFB1 90 NOP

0096CFB2 90 NOP

0096CFB3 90 NOP

0096CFB4 90 NOP

This program does not hit this case, so I will not say more about it.

OK. After the IAT has been handled, recall this instruction:

00963767 C603 E9 MOV BYTE PTR DS:[EBX], 0E9

Set a breakpoint directly on 00963767, then run. When it breaks here we know that [EBX] is the OEP of our target program. With a Delphi program it may break once more, but the jump target is always the shell's code.

00963756 8BC0 MOV EAX, EAX

00963758 55 PUSH EBP

00963759 8BEC MOV EBP, ESP

0096375B 53 PUSH EBX

0096375C 8BD8 MOV EBX, EAX

0096375E 8BC2 MOV EAX, EDX

00963760 8BD1 MOV EDX, ECX

00963762 E8 79FFFF> CALL 009636E0

00963767 C603 E9 MOV BYTE PTR DS:[EBX], 0E9

0096376A 8D53 01 LEA EDX, DWORD PTR DS:[EBX+1] ; the jump written at the OEP goes to the start of the shell's code

0096376D 8902 MOV DWORD PTR DS:[EDX], EAX

0096376F 8B45 08 MOV EAX, DWORD PTR SS:[EBP+8]

00963772 8910 MOV DWORD PTR DS:[EAX], EDX

00963774 B8 050000> MOV EAX, 5

00963779 5B POP EBX

0096377A 5D POP EBP

0096377B C2 0400 RETN 4 ; run straight to here, then look at 4010CC

......

004010CC - E9 48F177> JMP 00B80219 ; the jump at the OEP goes to the start of the shell's code

004010D1 7D 5E JGE SHORT 00401131

004010D3 FF15 00C0> CALL DWORD PTR DS:[40C000] ; kernel32.GetCommandLineA

00B80219 is where the shell starts executing the original program's code, so set a breakpoint on 00B80219 and run; then we can compare and recover the stolen code.

00B80219 55 PUSH EBP ; this is the first line of the program's code

00B8021A 336C24 08 XOR EBP, DWORD PTR SS:[ESP+8]

00B8021E 336C24 28 XOR EBP, DWORD PTR SS:[ESP+28]

00B80222 8BEC MOV EBP, ESP ; second line

......

00B80273 83EC 44 SUB ESP, 44 ; third line

00B80276 56 PUSH ESI ; last line of the stolen code

00B80277 ^E9 ADFFFF> JMP 00B80229

This is how the stolen code is found. Of course, for a packed Delphi program or another C program there is not this little of it.

OK, now that we have the code, dump the process and fix it up.

Greetz:

Fly.jingulong, Yock, Tdasm.david.ahao.ufo (brother) .alan (Sister) .all of my friends and you!

By LoveBoom [DFCG] [FCG]

Email: bmd2chen@tom.com

Please credit the original source when reprinting: https://www.9cbs.com/read-36220.html
